Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you the loophole analysis of Apache Flink CVE-2020-17518 and 17519. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Environment

Friends who already have a loophole environment can skip this section and look directly at the loophole section.

JDK is installed.

Flink installation package address: https://archive.apache.org/dist/flink/flink-1.11.2/

To satisfy both vulnerability environments, version 1.11.2 is installed here.

Decompress

# tar-zxvf flink-1.11.2-bin-scala_2.11.tgz

Modify the configuration file conf/flink-conf.yaml, where the jobmanager.rpc.address parameter is the local server IP address

Jobmanager.rpc.address: 192.168.18.169

Add remote debugging parameters

# jobmanager debug port env.java.opts.jobmanager: "- agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006" # taskmanager debug port env.java.opts.taskmanager: "- agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"

Start the Flink service

# cd bin#. / start-cluster.sh

Look at which ports are open: 5005 and 5006 are configured debug ports, 8081 are webUI access ports, and 6123 are RPC communication ports for JobMamanger

Access servic

Stop the Flink service

Flink startup saves the ID of the started process in a file, and the relevant configuration is in the bin/config.sh file. The default is "/ tmp". Because it is a temporary directory, it will be cleaned by the system, so the stored process ID cannot be found, and the cluster cannot be shut down.

If you execute the shutdown instruction directly, you will find that it cannot be closed.

How?

Create a new directory / usr/local/flink-1.11.2/tmp to store the ID of the started process

Modify the bin/config.sh file to specify the newly created path for the DEFAULT_ENV_PID_DIR parameter

DEFAULT_ENV_PID_DIR= "/ usr/local/flink-1.11.2/tmp"

Re-execute the shutdown instruction:

#. / stop-cluster.sh

Remote debugging

The remote debugging parameters have been configured in the configuration file flink-conf.yaml of the remote Flink service above, and the debugging ports 5005 and 5006 have been opened.

The local IDEA opens the source code of the target version, here is 1.11.2, create the Remote configuration, specify Host and Port, debug the jobmanager here, and select the corresponding port.

Enable remote debugging

CVE-2020-17518

Flink introduced a REST handler in version 1.5.1, which allows an attacker to write uploaded files to files anywhere local, and to write these files to any location accessible to Flink 1.5.1 through a maliciously modified HTTP header.

Scope of influence: 1.5.1

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.